Security fixes are applied to the latest released version of dmtri on PyPI.
Please upgrade to the newest release before reporting an issue.
Please do not open a public GitHub issue for security vulnerabilities.
Instead, report privately via GitHub's private vulnerability reporting (Security → Report a vulnerability). We aim to acknowledge reports within a few working days and will coordinate a fix and disclosure timeline with you.
dmtri orchestrates Ansible against EIDA nodes and therefore touches sensitive
material. Note that:
- Host credentials (SSH users/passwords, Mongo credentials) live in your local
hosts.ini, created bydmtri initfrom a placeholder example. This file is never committed and is not bundled into the published package. - Report values passed to
dmtri fixare validated and rejected if they contain shell metacharacters, so untrusted report content cannot reach a playbook as an injected command.
If you believe any credential or sensitive path is exposed in the repository or a published artifact, treat it as a vulnerability and report it privately as described above.